The Hacker News — Cyber Security, Hacking, Technology News

A critical vulnerability has been discovered in the widely used Transmission BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users' computers and take control of them.

The vulnerability was uncovered by Google's Project Zero vulnerability reporting team, and one of its researchers, Tavis Ormandy, has also posted a proof-of-concept attack, just 40 days after the initial report.

Usually, the Project Zero team discloses vulnerabilities either 90 days after reporting them to the affected vendors or once the vendor has released a patch.

However, in this case, the Project Zero researchers disclosed the vulnerability 50 days prior to the actual time limit because Transmission developers failed to apply a ready-made patch provided by the researchers over a month ago.

"I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won't reply, but let's see," Ormandy said in a public report published Tuesday.

Proof-of-Concept Exploit Made Publicly Available

The PoC attack published by Ormandy exploits a specific Transmission function that lets users control the BitTorrent app with their web browser.

Ormandy confirmed his exploit works on Chrome and Firefox on Windows and Linux (Fedora and Ubuntu) and believes that other browsers and platforms are also vulnerable to the attack.

The Transmission BitTorrent app uses a client-server architecture, where users have to install a daemon service on their systems in order to access a web-based interface in their browsers locally.

The daemon installed on the user's system then interacts with the server for downloading and uploading files through the browser using JSON RPC requests.

Ormandy found that a hacking technique called the "domain name system rebinding" attack could successfully exploit this implementation, allowing any malicious website that a user visits to execute malicious code on the user's computer remotely with the help of the installed daemon service.

Here's How the Attack Works:

The loophole resides in the fact that services installed on localhost can be manipulated to interact with third-party websites.

"I regularly encounter users who do not accept that websites can access services on localhost or their intranet," Ormandy wrote in a separate post, which includes the patch.

"These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website "transfers" execution somewhere else. It does not work like that, but this is a common source of confusion."

Attackers can exploit this loophole by simply creating a DNS name they're authorized to communicate with and then making it resolve to the vulnerable computer's localhost name. Here's how the attack works:

A user visits a malicious site (http://attacker.com), which has an iframe to a subdomain controlled by the attacker.

The attacker configures their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address controlled by the attacker) with a very low TTL.

When the browser resolves the name to 123.123.123.123, the attacker serves HTML that waits for the DNS entry to expire (or forces it to expire by flooding the cache with lookups), after which the attacker's page has permission to read and set headers.
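A common server-side defence against the sequence above is to validate the HTTP Host header: the rebound request arrives at 127.0.0.1 but still names the attacker's subdomain. The following is an added example, not code from the article or from the patch it mentions; the allowlist, the port 9091 and the hostnames under attacker.example are assumptions made for illustration.

```python
import ipaddress

ALLOWED_NAMES = {"localhost"}   # assumed allowlist of names the service answers to
EXPECTED_PORT = "9091"          # assumed RPC port for this example


def split_host_port(host_header):
    """Split a Host header value into (host, port or None); ValueError if malformed."""
    value = host_header.strip()
    if not value or any(c in value for c in " \t/@,"):
        raise ValueError("malformed Host header")
    if value.startswith("["):   # bracketed IPv6 literal such as [::1]:9091
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal")
        port = rest[1:] if rest else None
    else:
        host, sep, port = value.partition(":")
        port = port if sep else None
    if port is not None and not port.isdigit():
        raise ValueError("non-numeric port")
    return host.lower().rstrip("."), port


def host_is_allowed(host_header):
    """True only for loopback names or addresses on the expected port."""
    try:
        host, port = split_host_port(host_header)
    except ValueError:
        return False
    if port is not None and port != EXPECTED_PORT:
        return False
    if host in ALLOWED_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False            # any other DNS name, e.g. a rebinding hostname


def check_rpc_request(headers):
    """Return the HTTP status a loopback RPC endpoint should answer with."""
    hosts = [v for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:         # missing or duplicated Host header
        return 400
    return 200 if host_is_allowed(hosts[0]) else 403


# Constructed sample requests as they would arrive on the loopback socket.
SAMPLES = [
    ("local web UI", [("Host", "localhost:9091")]),
    ("IPv6 loopback", [("Host", "[::1]:9091")]),
    ("rebound page", [("Host", "rebind.attacker.example:9091")]),
    ("look-alike name", [("Host", "localhost.attacker.example:9091")]),
]

if __name__ == "__main__":
    for label, headers in SAMPLES:
        print(f"{label:16} -> {check_rpc_request(headers)}")
```

The check works because DNS rebinding changes where the connection goes, not the name the browser puts in the Host header.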

Ormandy said the vulnerability (CVE-2018-5702) was the "first of a few remote code execution flaws in various popular torrent clients," though he did not name the other torrent apps due to the 90-day disclosure timeline.

A fix is expected to be released as soon as possible, a development official with Transmission told ArsTechnica, without specifying an actual date.

The popular torrent download website, The Pirate Bay, is again caught up in a new controversy, this time over secretly planting an in-browser cryptocurrency miner on its website that uses its visitors' CPU processing power to mine digital currencies.

The Pirate Bay is the most popular and most visited file-sharing website predominantly used to share copyrighted material free of charge. The site has usually been in the news for copyright infringement by movie studios, music producers and software creators.

The Pirate Bay has recently been caught generating revenue by secretly utilizing CPU power of its millions of visitors to mine a Bitcoin alternative called Monero without their knowledge.

The modern Internet depends on advertising revenue to survive, which apparently sometimes spoils users' experience. But The Pirate Bay is trying to choose a different approach.

Visitors to the Pirate Bay recently discovered a JavaScript-based cryptocurrency miner from Coin Hive (a service that helps websites monetise through CPU power) on the torrent site. This code makes use of the CPU power from the visitor's computer to mine Monero digital coins.

However, shortly after the issue was first reported by TorrentFreak, The Pirate Bay issued a statement on its website, saying that it tested the miner for just 24 hours to see if the miner could be used as an alternative way to generate revenue, allowing it to get rid of annoying ads on the torrent website altogether.

"This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running," says The Pirate Bay.

"Let us know what you think in the comments. Do you want ads or do you want to give away a few of your CPU cycles every time you visit the site?"

The Pirate Bay also clarified that the miner software should consume only 20 to 30 percent of CPU power and should be restricted to run in a single tab.

No further details were revealed by The Pirate Bay, but threads on Reddit suggested that the Pirate Bay users were not happy about the miner, with several users complaining that the website enabled the miner "without explicit knowledge or authorization of users."

Many users had called this idea "dumb," but borrowing website visitors' extra CPU resources to let sites generate revenue could put an end to the shady advertisements.

But yes, users should be warned of any such miner by the respective website.

The question remains:

Would you allow in-browser cryptocurrency miners instead of annoying ads to help websites generate revenue?

The Pirate Bay — a widely popular file-sharing website predominantly used to share copyrighted material free of charge — is once again in trouble, this time in Europe.

The European Union Court of Justice (ECJ) ruled today that Dutch ISPs can block access to The Pirate Bay, as the Swedish file-hosting website facilitates an "act of communication" by allowing users to post and obtain torrents for pirated films, TV shows and music for free.

Dutch anti-piracy group Stichting Brein (BREIN) in 2009 filed a case against local Internet Service Providers (ISPs) Ziggo and XS4ALL, and in 2012, the District Court of The Hague ruled that the ISPs must block users from accessing The Pirate Bay.

However, the ISPs Ziggo and XS4ALL successfully overturned the decision two years later, with the court ruling against BREIN and concluding that the blockade restricted the internet providers' entrepreneurial freedoms.

The BREIN group then took the same case to the Supreme Court, which eventually referred the case to the European Court of Justice to seek further clarification and assistance on the technicalities of the issue.

The Court of Justice closely reviewed the whole case and today ruled that The Pirate Bay website can be blocked, as the operators of the site "play an essential role in making those works [torrent links to the pirated content] available," the court explains.

The court accepted the fact that the Pirate Bay does not physically host any illegal content on their servers, but it did say the platform, which knowingly allows its users to share, search, and locate copyright-protected works for download, "may constitute an infringement of copyright."

Today's ruling would not immediately affect the Pirate Bay, as the Dutch Supreme Court will take the final decision about blocking the website in the upcoming months.

The final decision may also affect court orders in other countries, including Austria, Italy, Belgium, Finland, and its home country, Sweden, where The Pirate Bay and other torrent websites are already blocked.

Surprisingly, the operators of the Pirate Bay do not seem to be worried about the latest ruling as they believe the "blockades will eventually help users to get around censorship efforts, which are not restricted to TPB," one of the Pirate Bay moderators told TorrentFreak.

After the shutdown of Kickass Torrents and Torrentz.eu, it's time for the torrent community to say goodbye to the second most popular torrent site in the world, ExtraTorrent.

Yes, the popular torrent site ExtraTorrent has permanently shut down. So, stop searching for 'extratorrents unblock' and 'extratorrents proxy' websites.

In a short but clear message on its homepage, the ExtraTorrent portal announced Wednesday that it has shut down for good, saying "farewell" to its millions of users.

The ShutDown Message Reads:

"ExtraTorrent has shut down permanently"

"ExtraTorrent with all mirrors goes offline.. We permanently erase all data. Stay away from fake ExtraTorrent websites and clones. Thx to all ET supporters and torrent community. ET was a place to be...."

The message does not mention the reason for the torrent site's shutdown but indicates that the popular torrent index will not return.

Launched in November 2006, ExtraTorrent became the world's second largest torrent index after The Pirate Bay in the last 2 years with millions of daily visitors and a particularly active community.

Since it's common for torrent sites to suffer shutdowns and domain changes, torrent users are hardly disappointed by the news, as they believe that if one website goes down, its mirror will appear shortly.

This is the second site, still active just before it went down, to say goodbye to millions of its users of its own accord, after Torrentz.eu, which, at the time of its closure, was the largest torrent website of its kind.

TorrentFreak contacted the site's operator, SaM, who confirmed it was the end of the line for them, saying "It's time we say goodbye," without giving any further details about the reason for its closure.

SaM also confirmed that ExtraTorrent's release group ETRG is also gone now, but Ettv and Ethd could remain operational "if they get enough donations to sustain the expenses."

Hacker Leaks ‘Pirates Of The Caribbean 5’ On Torrent

Torrent websites have always been the free alternative to paying for content, but they cause billions in losses every year to the entertainment industry.

Just last month, hackers leaked ten episodes of the Season 5 premiere of Netflix's "Orange Is the New Black," which was scheduled to debut June 9 and was supposed to run 13 episodes. So, you can measure the damage it caused to Netflix and Larson Studios.

And just yesterday, hackers leaked the most awaited, upcoming movie, Pirates of the Caribbean: Dead Men Tell No Tales, on BitTorrent site The Pirate Bay with BluRay print after Disney refused to meet the attackers' demands.

Torrentz.eu was a free, fast and powerful meta-search engine that hosted no torrents of its own, but combined results from dozens of other torrent search engine sites including The Pirate Bay, Kickass Torrents and ExtraTorrent.

The meta-search engine has announced "farewell" to its millions of torrent users without much fanfare, suddenly ceasing its operation and disabling its search functionality.

At the time of writing, the Torrentz.eu Web page is displaying a message that reads in the past tense:

"Torrentz was a free, fast and powerful meta-search engine combining results from dozens of search engines."

When users try to run any search or click any link on the site, the search engine refuses to show any search results and instead displays a message that reads:

"Torrentz will always love you. Farewell."

Launched back in 2003, Torrentz has entertained the torrent community for more than 13 years with millions of visitors per day.

However, today, the popular meta-search engine has shut down its operation from all Torrentz domains, including the main .EU domain (both HTTP and HTTPS version) as well as other backups such as .ME, .CH, and .IN.

Although many copyright holders were not happy with the site, with both the RIAA and MPAA having reported the site to the U.S. Government in recent years, says TorrentFreak, there is no news of any arrest or legal takedown of the site in this case.

Still, it would be fair enough to wait for an official announcement from the site owners.

The federal authorities have finally arrested the alleged mastermind behind the world's largest and most notorious BitTorrent distribution site Kickass Torrents (KAT), the US Justice Department announced on Wednesday.

After The Pirate Bay had suffered copyright infringement hardship, Kickass Torrents (KAT) became the biggest and most-used pirate site on the Internet, attracting millions of daily unique visitors.

However, the site appears to be offline after its alleged owner Artem Vaulin, a 30-year-old Ukrainian national, was apprehended in Poland today, and the US government has requested his extradition.

Although some proxy sites seem to be currently up and running, its main site, https://kat.cr, appears to be down worldwide and most of the other Kickass Torrents domains, including kickasstorrents.com, kastatic.com, thekat.tv, kat.cr, kickass.cr, kickass.to, kat.ph, have been seized by the authorities.

Charges Filed Against Kickass Torrents Owner

According to the criminal complaint filed in the US District Court in Chicago, Vaulin faces:

Two counts of criminal copyright infringement.

One count of conspiracy to commit criminal copyright infringement.

One count of conspiracy to commit money laundering.

The United States federal authorities say that Kickass Torrent has caused damages of more than $1 Billion to copyright holders.

Here’s what Assistant Attorney General Leslie R. Caldwell stated in a press release issued by the Department of Justice:

"Vaulin is charged with running today’s most visited illegal file-sharing website, responsible for unlawfully distributing well over $1 billion of copyrighted materials. In an effort to evade law enforcement, Vaulin allegedly relied on servers located in countries around the world and moved his domains due to repeated seizures and civil lawsuits. His arrest in Poland, however, demonstrates again that cybercriminals can run, but they cannot hide from justice."

In addition to the Kickass Torrents domain names seizure, the Chicago court has also ordered the seizure of bank accounts related to the notorious pirate website, as well as servers located in Chicago, USA, and Canada.

Kickass Torrents has been blocked in many countries in the past including the UK, Ireland, Italy, Denmark, Belgium, and Malaysia.

How Kickass Torrents Team Responds to Copyright Infringement Complaints:

According to the court affidavit, Vaulin claimed that his BitTorrent site KAT did not violate the Digital Millennium Copyright Act (DMCA), but they did.

When any film studio filed a notice-and-takedown for a potential DMCA violation, Kickass Torrents team responds like this:

Here’s How Authorities get their hands on the Kickass Torrents Owner:

An IRS agent went undercover to buy and advertise on the notorious site for five days, at the price of $300 per day.

This revealed Vaulin's e-mail account, trim@me.com, hosted by Apple, which provided a copy of his email inbox to authorities after being asked for help.

With the help of the Mutual Legal Assistance Treaty (MLAT), US officials were easily able to obtain information about the Kickass Torrent's operations from the bank accounts used to collect payments for advertisement slots.

"Records provided by Apple showed that tirm@me.com conducted an iTunes transaction using IP Address 109.86.226.203 on or about July 31, 2015," reads the complaint. "The same IP Address was used on the same day to login into the KAT Facebook."

An analysis of this account later disclosed the presence of Kickass Torrents servers in Chicago.

UPDATE: Kickass Torrents is DEAD! But Someone Just launched New Mirror

After the arrest of Kickass Torrent’s owner and seizure of primary Kickass Torrents domain, a mirror of the original Kickass Torrents website with identical design has been made available online in less than 24 hours.

The mirror of the Kickass Torrents website has been hosted by another popular torrent site, IsoHunt, at kickasstorrents.website, hosting everything from the last year to year-and-a-half.

However, the mirror lacks forums, community, and support of Kickass Torrents — the biggest draws to the original Kickass Torrents website.

One of the founders of notorious file-sharing website The Pirate Bay has been ordered to pay a fine worth nearly US$400,000 to several major record labels after their content was shared illegally via the platform.

The penalty has been imposed on The Pirate Bay co-founder Peter Sunde by a court in Helsinki, Finland.

Interestingly, Sunde, who already left the notorious file sharing site in 2009, said on Twitter that he lost the court case he did not even know about.

The court case was brought by the Finnish divisions of Sony Music, Universal Music, Warner Music and EMI, accusing the Pirate Bay of illegally sharing the music of 60 of their artists through its service.

The artists mentioned in the brief included "Juha Tapio, Teräsniska, Chisu, Deniece Williams, Suvi Vesa-Matti Loiri, Michael Monroe, Anna Abreau, Antti Tuisku, and Children of Bodom," according to the local outlet Digitoday.

However, the recording division did not accuse Sunde of direct infringement; rather it accused Sunde of his involvement in the Pirate Bay that indirectly made him responsible for infringements.

The Helsinki District Court ordered the 37-year-old to pay $395,000 (350,000 Euros) to the record labels.

"The record companies know that I have not had any part of TPB for ages, still suing," Sunde wrote. "Bullying is the new black."

Sunde did not appear in the court to defend himself, so the Finnish Court handed down a default judgment.

Sunde is now ordered to pay the full amount and costs of nearly $62,000 (55,000 Euros) to the local branch of the International Federation of the Phonographic Industry (IFPI).

Besides, the judge also threatened a fine of 1 Million Euros if the pirated content continues to be shared through The Pirate Bay website, though it is still not clear how Sunde is supposed to do anything about the sharing of content on the site since he has no association with the service.

As TorrentFreak notes, Sunde and other co-founders of the Pirate Bay, including Fredrik Neij and Gottfrid Svartholm, also owe large sums of money to other copyright holders as a result of various court judgments over the years.

However, so far, none of those penalties have been "satisfied," and it is likely that this penalty will also go unpaid.

If you are a torrent lover and have registered on the BitTorrent community forum website, then you may have had your personal details compromised, along with your hashed passwords.

The BitTorrent team has announced that its community forums have been hacked, which exposed private information of hundreds of thousands of its users.

As of now, BitTorrent is the most visited torrent client around the world with more than 150 Million monthly active users.

Besides this, BitTorrent also has a dedicated community forum that has hundreds of thousands of registered members with tens of thousands of daily visitors.

A recent security alert by the team says the forum database has been compromised by hackers who were able to get their hands on its users’ passwords, warning its users to update their passwords as soon as possible.

The vulnerability is believed to have originated at one of its vendors, who alerted the BitTorrent team about the issue earlier this week.

"The vulnerability appears to have been through one of the vendor’s other clients. However, it allowed attackers to access some information on other accounts," μTorrent forum writes. "As a result, attackers were able to download a list of our forum users."

BitTorrent and other torrent forums are also using Invision Power Board software and if the unnamed vendor in question is Invision Power Services Inc., then hundreds of popular discussion forums might have also been affected.

The team is also investigating further to learn if any other information of its users was accessed.

Security researcher Troy Hunt somehow got access to the stolen database and has already uploaded it to his data breach notification site, Have I Been Pwned; it includes 34,000 BitTorrent Forum users' email addresses, usernames, IP addresses, and salted SHA1 hashed passwords.

All users are strongly advised to change their forum passwords as well as passwords for other sites, in case they are using a password identical to the one used on the forum.

Update: μTorrent forum not hacked. I mistakenly named μTorrent previously, instead of BitTorrent. As soon as we realized it, I updated this article with the correct information.